Validate Azure AD Device Dynamic Membership Rules in Preview

Validate Azure AD Device Dynamic Membership Rules in Preview

Previously when creating queries for dynamic membership rules in Azure AD, you would have to create the group, then provide the syntax, and then wait anywhere from 5-10 minutes while Azure AD evaluates the group members.  When first starting out, this can add up to hours of timing waiting for results.  Microsoft now has added rules validation into Azure AD Dynamic groups.  This is currently in preview, and saves quite a bit of time when unsure about the syntax of your queries.  When getting started Microsoft does provide some documentation below:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership

In this example, I am creating an Azure AD Dynamic Device group for Windows 10 1909 devices.  Once I add my syntax, I can now click on Validate Rules and test.

Next click on +Add Devices to provide test cases for your rule syntax.

Add your test workstation devices from Azure AD and click Validate.

Click View details to find out why a device does not match the query.

In this case, the workstation was a BYOD device instead of Company owned.

This small, but nice, quality of life addition to Azure AD groups can save you quite a bit of time when setting up Dynamic User or Dynamic Device groups in Azure AD.  Here are some common syntax strings useful when managing Windows 10 with Intune in Azure AD as well:

Azure AD Dynamic Device Queries – Intune Managed Devices

All Windows 10 Corporate Devices (Company Owned)

(device.deviceOSType -eq “Windows”) and (device.deviceOwnership -eq “Company”)

All Windows 10 1909 Corporate Devices

(device.deviceOSVersion -startsWith “10.0.18363”) and (device.deviceOwnership -eq “Company”) and (device.deviceOSType -eq “Windows”) and (device.managementType -eq “MDM”)

All Windows 10 1903 Corporate Devices

(device.deviceOSVersion -startsWith “10.0.18362”) and (device.deviceOwnership -eq “Company”) and (device.deviceOSType -eq “Windows”) and (device.managementType -eq “MDM”)

All Windows 10 1809 Corporate Devices

(device.deviceOSVersion -startsWith “10.0.17763”) and (device.deviceOwnership -eq “Company”) and (device.deviceOSType -eq “Windows”) and (device.managementType -eq “MDM”)

All Windows 10 1803 Corporate Devices

(device.deviceOSVersion -startsWith “10.0.17134”) and (device.deviceOwnership -eq “Company”) and (device.deviceOSType -eq “Windows”) and (device.managementType -eq “MDM”)

All Windows 10 BYOD Devices (Personal)

(device.deviceOSType -eq “Windows”) and (device.deviceOwnership -eq “Personal”)

All Windows 10 1909 BYOD Devices

(device.deviceOSVersion -startsWith “10.0.18363”) and (device.deviceOwnership -eq “Personal”) and (device.deviceOSType -eq “Windows”) and (device.managementType -eq “MDM”)

All Windows 10 1903 BYOD Devices

(device.deviceOSVersion -startsWith “10.0.18362”) and (device.deviceOwnership -eq “Personal”) and (device.deviceOSType -eq “Windows”) and (device.managementType -eq “MDM”)

All Windows 10 1809 BYOD Devices

(device.deviceOSVersion -startsWith “10.0.17763”) and (device.deviceOwnership -eq “Personal”) and (device.deviceOSType -eq “Windows”) and (device.managementType -eq “MDM”)

All Windows 10 1803 BYOD Devices

(device.deviceOSVersion -startsWith “10.0.17134”) and (device.deviceOwnership -eq “Personal”) and (device.deviceOSType -eq “Windows”) and (device.managementType -eq “MDM”)